"Human error" cited in LI.FI's $11.6 million exploit

Key Takeaways

• LiFi experienced a $11.6 million hack due to a vulnerability in a newly deployed smart contract facet.
• The company plans to compensate affected users and is working with authorities to recover stolen funds.

Interoperability protocol LI.FI revealed that its recent exploit was caused by an infinite token approval attack vector. On July 16, 2024, it experienced a security breach resulting in the theft of approximately $11.6 million after affecting 153 wallets that used LI.FI to interact with Ethereum and Arbitrum networks.

The vulnerability emerged shortly after the deployment of a new smart contract facet, which was disabled by LiFi’s team across all chains to prevent further unauthorized access.

Moreover, the exploit stemmed from a lack of validation checks in the new facet, allowing attackers to make arbitrary calls to any contract. The company attributed this to “an individual human error in overseeing the deployment process.”

Assets drained included USDC, USDT, and DAI. LI.FI emphasized that the vulnerability only impacted infinite approvals, not finite approvals, which is the default setting in their API, SDK, and widget.

Additionally, they are working with law enforcement and industry security teams to trace and recover the stolen funds.

“LiFi, with the backing of its major investors, is currently evaluating options to fully compensate affected users as soon as possible,” they stated in the report

In response to the incident, LI.FI reiterated its commitment to security, highlighting existing measures such as multiple audits, monthly auditor retainers, pen-testing, and bug bounties. The company is also reaching out to affected wallet holders for direct communication.